Use IAM instance profiles for S3 authentication #1067

Closed
kamsz opened this issue Jun 27, 2017 · 7 comments
Contributor

kamsz commented Jun 27, 2017

Instead of passing key/secret, there should be a possibility to use the metadata server to retrieve key/secret from an IAM instance profile. Minio supports this approach, but there's no documentation on how to configure that and it doesn't work out of the box with the s3:s3.amazonaws.com/bucket URL.

Probably requires moving from minio.New to minio.NewWithCredentials.

Member

fd0 commented Jun 27, 2017

I need to look into this.

fd0 added the "type: feature suggestion" and "help: wanted" labels Jun 27, 2017

Contributor Author

kamsz commented Jun 28, 2017

I've done a very quick test on update-minio-go branch of yours with a small change:

	iam := credentials.NewIAM("")

	client, err := minio.NewWithCredentials(cfg.Endpoint, iam, !cfg.UseHTTP, "")
	if err != nil {
		return nil, errors.Wrap(err, "minio.New")
	}

Works perfectly. Not sure how to support multiple providers - I believe ChainCredentials struct is responsible for that.

Member

fd0 commented Jun 28, 2017

Interesting, thanks for trying. What's the parameter string you're passing to NewIAM?

Contributor Author

kamsz commented Jun 28, 2017

An empty string, as in the example. It should fetch all the required data from the metadata server itself.

Member

fd0 commented Jul 5, 2017

So, I'd be willing to merge support for IAM in, but I don't have the time to do it (and properly integrate it so that you can still give restic the credentials via the environment variables). I'd be happy to review the code and help with integrating it, though.
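
The provider-chain idea raised in the comments above (environment variables first, instance-profile metadata as fallback), as an added standard-library Go example that is not restic's or minio-go's code. `Creds`, `FromEnv`, `FromIAM`, `Chain`, `IMDS` and `hc` are assumed names, and the metadata request is a plain GET without an IMDSv2 session token.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"time"
)

// Creds mirrors the metadata credential document; IMDS and hc are assumed names.
type Creds struct{ AccessKeyID, SecretAccessKey, Token string; Expiration time.Time }
var IMDS, hc = "http://169.254.169.254", &http.Client{Timeout: 2 * time.Second}
// FromEnv yields static keys from the environment when both are set.
func FromEnv() (Creds, bool) {
	c := Creds{AccessKeyID: os.Getenv("AWS_ACCESS_KEY_ID"), SecretAccessKey: os.Getenv("AWS_SECRET_ACCESS_KEY")}
	return c, c.AccessKeyID != "" && c.SecretAccessKey != ""
}

// FromIAM asks the metadata server for the role name, then for its temporary keys.
func FromIAM() (c Creds, ok bool) {
	url, role := IMDS+"/latest/meta-data/iam/security-credentials/", ""
	resp, err := hc.Get(url)
	if err != nil {
		return c, false
	}
	fmt.Fscan(resp.Body, &role) // first role name in the listing
	resp.Body.Close()
	if resp, err = hc.Get(url + role); err != nil {
		return c, false
	}
	defer resp.Body.Close()
	err = json.NewDecoder(resp.Body).Decode(&c)
	return c, err == nil && c.AccessKeyID != "" && time.Now().Before(c.Expiration)
}

// Chain tries each provider in order and returns the first usable credentials.
func Chain(ps ...func() (Creds, bool)) (Creds, error) {
	for _, p := range ps {
		if c, ok := p(); ok {
			return c, nil
		}
	}
	return Creds{}, fmt.Errorf("no credential provider succeeded")
}

func main() {
	c, err := Chain(FromEnv, FromIAM)
	fmt.Println("keys:", c.AccessKeyID != "", "temporary:", c.Token != "", err)
}
```

Credentials from the instance profile carry a session token and an expiry, so a long-running process has to call the chain again before `Expiration` rather than cache the first result.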

Contributor Author

kamsz commented Jul 5, 2017

#1086

Member

fd0 commented Jul 5, 2017

thanks!
